Formal is a security startup coming out of stealth on Tuesday with a nice list of investors and an interesting product positioning. The company has designed a reverse-proxy for data stores and APIs so that security teams can more easily secure access to sensitive data.
In more practical terms, Formal is a proxy that you deploy in your virtual private cloud (VPC) where it logs every request made to your data stores — say a database with customer information for instance — and enforces access policies.
Formal is the brainchild of founder Mokhtar Bacha, a 24-year-old who began his tech career at Consensys while still a teen, before getting the bug to turn solo entrepreneur.
“At the age of 17, I was lucky enough to connect with one of the co-founders of Ethereum — a guy named Joseph Lubin — and to be recruited as a software engineer [for Consensys], which is behind MetaMask and other wallets and more,” Bacha told TechCrunch.
“Technically, it was incredibly interesting. But I didn’t feel like I was working on something that was very useful,” he added, explaining that this led him to applying to Y Combinator as a solo founder when he was still just 19 (with Maytana, a cash management platform for multinational startups).
A pivot later, his initial startup idea became Formal, a security product that chief information security officers (CISOs) and CTOs may find useful.
In late 2023, Formal raised a $5.8 million seed round with Thrive Capital leading the round and participation from Y Combinator. Abstract Ventures, Kima Ventures and a bunch of business angels, including Alexis Lê-Quôc, Charles Gorintin, Mathilde Collin, Aaron Katz, Jean-Denis Greze, and Matt MacInnis, also joined the round.
Access and control
While data access management isn’t new, what makes Formal special is that you can add or remove data stores and applications without having to manually configure each new component in your stack with a new security policy.
“With the growth of the modern data stack and the transition to the cloud and to AI, basically there were too many different types of tools, too many different types of applications and users that were consuming data,” Bacha suggested.
Formal acts as an abstraction layer for visibility on and control of data flows. After deploying the Formal Connector in your infrastructure, and updating every application to tell them to use the proxy, each query is checked against Formal’s policy engine to dynamically mask or filter data.
“If I am a software engineer based in the U.S., I shouldn’t see data of European customers. And therefore the proxy will automatically mask and redact the data of the European customers,” Bacha explained.
For instance, for a Postgres database, instead of directly “talking” to the Postgres database when you query the database, employees interact with the Formal Postgres proxy. This new step is what makes it easier to enforce access policies — and potentially help customers stay on the right side of laws such as the E.U.’s General Data Protection Regulation.
“For the engineering teams that are creating data, let’s say from their laptops, we have an agent that customers can deploy that will automatically redirect the traffic to the proxy without, actually, the engineering teams even noticing,” Bacha added.
Formal’s customers include Gusto, Notion, and Ramp. While it’s still a relatively new startup, these are companies that tend to handle sensitive data, such as HR records and financial statements. So having such early adopters is an encouraging sign for Formal’s security model.